Slashdot Mirror


Linux Kernel Back-Door Hack Attempt Discovered

An anonymous reader writes "The BitKeeper to CVS gateway was apparently hacked in an attempt to add a root exploit back door to the Linux kernel, according to the linux-kernel archive. The change was in the file kernel/exit.c and changed the user ID of a process to root under the guise of checking the validity of some flags. The core Linux BitKeeper kernel repository was not at risk, and in fact it was the BitKeeper CVS export scripts that detected the unauthorized modifications to CVS. The changes were falsely attributed in CVS to long-time Linux developer davem (David Miller). Users of the BKCVS repository should resync their trees to remove the offending code if they had replicated it since yesterday."
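
As an added illustration (not part of the original story and not the kernel's or BitKeeper's own code), here is a review-time check for the kind of change described above, assuming the disguise takes the form of an assignment written inside a condition that reads as a validity check. The C sample, its names (`check_bad`, `OPT_A`, `t->uid`, `read_more`) and the `audit` helper are constructed for this example.

```python
import re

# Constructed C sample (hypothetical names, not the real kernel source).
# check_bad hides an assignment inside what reads as a flag-validity check.
SAMPLE_C = r'''
int check_ok(int options, struct task *t) {
    if (options == (OPT_A | OPT_B) && t->uid == 0)   /* a real comparison */
        return -1;
    return 0;
}
int check_bad(int options, struct task *t) {
    if ((options == (OPT_A | OPT_B)) && (t->uid = 0))
        return -1;
    while ((n = read_more(t)) > 0) { }               /* common idiom */
    return 0;
}
'''

# Comments and string/char literals; blanked out so they cannot hide or fake a hit.
_NOISE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'', re.S)
# A bare "=" (not ==, !=, <=, >= or a compound assignment) with its target and
# the start of its right-hand side.
_ASSIGN = re.compile(
    r'((?:\w+(?:->|\.))*\w+)\s*(?<![=!<>+\-*/%&|^])=(?!=)\s*([^;,()&|]+)')
_LITERAL = re.compile(r'^(?:0[xX][0-9a-fA-F]+|\d+)[uUlL]*$|^NULL$')

def conditions(src):
    """Yield (line_number, text) for each if/while condition, parentheses balanced."""
    clean = _NOISE.sub(lambda m: re.sub(r'[^\n]', ' ', m.group()), src)
    for m in re.finditer(r'\b(?:if|while)\s*\(', clean):
        depth, i = 1, m.end()
        while i < len(clean) and depth:
            depth += {'(': 1, ')': -1}.get(clean[i], 0)
            i += 1
        yield clean.count('\n', 0, m.start()) + 1, clean[m.end():i - 1]

def audit(src):
    """Return (line, target, rhs_start, rhs_is_constant) per assignment in a condition."""
    hits = []
    for line, cond in conditions(src):
        for a in _ASSIGN.finditer(cond):
            rhs = a.group(2).strip()
            hits.append((line, a.group(1), rhs, bool(_LITERAL.match(rhs))))
    return hits

if __name__ == "__main__":
    for line, target, rhs, constant in audit(SAMPLE_C):
        verdict = "constant assigned in a condition" if constant else "assignment idiom, review"
        print(f"line {line}: {target} = {rhs} ({verdict})")
```

An assignment wrapped in its own parentheses, as in the sample, is the form that GCC's `-Wparentheses` warning accepts as intentional, which is why a separate review check is useful.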

5 of 687 comments

  1. Re:Well well by chill · · Score: 5, Interesting

    Good to see the system works. You would wonder what would happen if said hacker was working for a company on a similar closed source program. Would it have been detected?

    You mean like Borland's Interbase? The compiled-in backdoor wasn't discovered until after the database was open-sourced.

    My favorite quote from the advisory is:

    "This vulnerability was not introduced by unauthorized modifications to the original vendor's source. It was introduced by maintainers of the code within Borland. The back door account password cannot be changed using normal operational commands, nor can the account be deleted from existing vulnerable servers [see References]."

    How long was it in there? "These security holes affect all versions of InterBase shipped since 1994, on all platforms."

    The advisory dates from 2001 -- you do the math.

    --
    Learning HOW to think is more important than learning WHAT to think.
  2. Re:Well well by Narphorium · · Score: 5, Interesting

    Although I see where you're going with this, I think a lot of people might ask whether this shows vulnerability in OSS instead. Sure, you and I appreciate this as a validation of the system but is that really how the media is going to portray it?

    All I'm saying is that I certainly won't be surprised when closed source vendors start using this in their anti-OSS campaigns.

  3. Re:Well well by blair1q · · Score: 4, Interesting

    It was only detected because software found a discrepancy.

    This would happen at any closed-source shop that had the same software.

    No human eyes discovered the problem, and if someone hadn't installed the checks, it might not have been discovered for months or years or ever.

  4. Re:Well well by DunbarTheInept · · Score: 4, Interesting


    Kinda proves Steve Ballmer's comments about the lack of security in Open Source development, doesn't it?!

    No. It just proves you're a posturing idiot. The crack was detected as soon as it was attempted to be inserted, in the experimental development version of the code that hadn't even made it into any final distributions yet.

    And here's another example of your idiocy:

    If it happened in a software company, the hacker would be fired and probably charged with some kind of "espionage" charge and arrested.


    This wasn't an "inside" job. If this happened at a company, to fill the analogy, it would have been an external person, NOT someone they could fire.

    --

    Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

  5. Re:Well well [Thompson: Reflections on Trust] by muonzoo · · Score: 5, Interesting

    Of course, at some point, we do have to trust someone.
    Ken Thompson wrote an original speculative essay on this for CACM back in 1984 of all years.

    It is really well worth the read. The short form is that there exists a way to subvert the compiler such that it is no longer trustable and it will build a back door into the OS forevermore. This paper is a must read.